Right now, online data privacy in America resembles a patchwork paradox.
Congress has yet to pass a single, comprehensive federal online privacy law. Such a law would establish how personal data should be collected, stored and protected online. As a result, individual states have taken matters into their own hands and have passed their own – creating havoc for any entity with an online presence.
Why it matters: The lack of a single national privacy standard means that requirements can change across state lines and apply inconsistently to any entity that collects our personal data. Consequently, this piecemeal approach to consumer data makes it hard to know what personal data is collected and how it’s used in each state.
As 2023 kicked off, so too did a handful of new state privacy laws. Here’s what you need to know.
New State Privacy Laws Take Effect
While the wait is on for a comprehensive federal law, two states passed their own data privacy standards that went into effect at the start of the year:
- A newly amended law in California provides state residents even more control over the personal data that businesses collect – such as the right to know what is being collected and the right to limit the use and disclosure of sensitive personal information. California also established a first-of-its-kind state-level agency to implement and enforce it.
- Following in California’s footsteps, Virginia became the second state to enact a comprehensive consumer privacy law.
Following closely, three other comprehensive state privacy laws will go into effect later this year, providing residents more control over the personal data collected by companies:
- Colorado and Connecticut are both implementing their own set of personal data privacy rights on July 1, which closely resemble Virginia’s law.
- Also drawing heavily from Virginia, Utah will round out the year by becoming the fifth state to enact comprehensive consumer privacy legislation on December 31.
Zoom out: By the end of 2023, five states will have enacted comprehensive consumer data privacy laws. While the laws have much in common – including the right to access and delete personal information and to opt out of the sale of personal information – there are some inconsistencies that require businesses to establish different protocols for users in various states.
And the patchwork of state privacy laws is about to expand even further.
More Movement Expected on Data Privacy at the State Level
Here is where state data privacy efforts stand:
- At least nine other states have already introduced comprehensive data privacy bills this year – Massachusetts, Iowa, Mississippi, Indiana, Oklahoma, Oregon, Tennessee, New York, and Kentucky. And while the Mississippi proposal has failed to pass, Washington state and others continue to introduce and debate various comprehensive legislative proposals.
- At least five states are mulling over proposals to increase protections for children’s data – Connecticut, Oregon, West Virginia, Virginia, and New Jersey.
- At least seven states are considering proposals targeting other subsets of data, including the collection and use of health and biometric information – New York, Mississippi, Maryland, Oregon, New Jersey, Virginia, and Washington.
Americans have made it clear that data privacy is an important issue we’re facing, with 86% of consumers saying they want more control over their data. But the lack of a federal privacy law makes it difficult for us to keep track of who has access to what data and how it’s being used.
The Three C’s of Privacy
It’s time for Congress to pass a single comprehensive federal law that reflects the three C’s:
- Consistency: It must apply to all 50 states.
- Control: It must give Americans control of who can access their personal data and how they use it.
- Confidence: It must result in organizations taking reasonable steps to protect personal data from illegal access.